Bitcoin Forum

Other => Beginners & Help => Topic started by: dogisland on April 03, 2013, 07:46:02 AM



Title: StrongCoin key leak.
Post by: dogisland on April 03, 2013, 07:46:02 AM
This is a thread to answer questions on the StrongCoin key and clue field leak.


Title: Re: StrongCoin key leak.
Post by: wopwop on April 03, 2013, 07:51:33 AM
this is me caring


Title: Re: StrongCoin key leak.
Post by: rme on April 03, 2013, 10:01:08 AM
this is me caring
+1


Title: Re: StrongCoin key leak.
Post by: anfedorov on April 03, 2013, 10:35:59 AM
Over the Easter weekend due to a bug in the strongcoin interface hackers were able to access all encrypted private keys held on the Strongcoin server. This means for people who had weak passwords on their keys or people who had a lot of information in their clue field the BTC may have already been stolen.

This is a thread to answer questions on the StrongCoin key and clue field leak.

1) what was the bug? what do you mean by "interface"?
2) what are you doing to prevent such bugs from occurring again?
3) do you know of anyone's coins being stolen?


Title: Re: StrongCoin key leak.
Post by: Jurek on April 03, 2013, 10:39:51 AM
http://anonmgur.com/up/bd6ec316d9938298b9d5373fa3d08a37.png


Title: Re: StrongCoin key leak.
Post by: omgitsmehehe on April 03, 2013, 10:42:31 AM
I used StrongCoin once. Then I saw their 1% fee. Seriously? I can transfer my own money for free and more securely.


Title: Re: StrongCoin key leak.
Post by: manface on April 03, 2013, 10:55:53 AM
Can you explain what happened? I looked at strongcoin once but compared to blockchain.info they didn't seem to offer much.


Title: Re: StrongCoin key leak.
Post by: jago25_98 on April 03, 2013, 11:09:20 AM
I see I signed up for it at some point. Balance is zero. Perhaps it always was. Can't remember and there's no history. Oh well...

deja vu, never mind :p !


Title: Re: StrongCoin key leak.
Post by: dogisland on April 03, 2013, 11:31:36 AM
Over the Easter weekend due to a bug in the strongcoin interface hackers were able to access all encrypted private keys held on the Strongcoin server. This means for people who had weak passwords on their keys or people who had a lot of information in their clue field the BTC may have already been stolen.

This is a thread to answer questions on the StrongCoin key and clue field leak.

1) what was the bug? what do you mean by "interface"?
2) what are you doing to prevent such bugs from occurring again?
3) do you know of anyone's coins being stolen?

1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.
2. I'm posting a notice on the site to advise people to use longer passwords. There was already a widget to give the user feedback as to how strong their password was.
3. Yes.
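The access-control failure described in point 1, with the hardened ownership check and a simple enumeration alert beside it, as an added example (Python, not StrongCoin's own code; the record layout, user names and ciphertexts are constructed):

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class StoredKey:
    key_id: int
    owner: str          # account that created the key
    ciphertext: str     # AES-encrypted private key; encrypted in the browser, server never sees the password


# Constructed sample records, not real StrongCoin data.
KEYS = {
    1: StoredKey(1, "alice", "U2FsdGVkX1-constructed-ciphertext-alice"),
    2: StoredKey(2, "bob", "U2FsdGVkX1-constructed-ciphertext-bob"),
}


class Forbidden(Exception):
    """Raised when the requested record does not belong to the session user."""


def get_key_vulnerable(key_id):
    """The bug described in the thread: the id from the URL is looked up
    directly, so any logged-in user can read any other user's encrypted key."""
    return KEYS[key_id].ciphertext


def get_key(session_user, key_id):
    """Hardened lookup: the record must exist AND belong to the session user.
    Missing and foreign ids get the same error so ids cannot be enumerated."""
    rec = KEYS.get(key_id)
    if rec is None or rec.owner != session_user:
        raise Forbidden(f"key {key_id} is not accessible to {session_user}")
    return rec.ciphertext


DENIED = Counter()      # per-user count of refused lookups
ALERTS = []             # users flagged for walking through ids


def handle_request(session_user, key_id, threshold=5):
    """Request handler: returns (status, body) and flags an account whose
    denied lookups reach the threshold, the signature of id enumeration."""
    try:
        return 200, get_key(session_user, key_id)
    except Forbidden:
        DENIED[session_user] += 1
        if DENIED[session_user] == threshold:
            ALERTS.append(session_user)
        return 403, None
```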


Title: Re: StrongCoin key leak.
Post by: 🏰 TradeFortress 🏰 on April 03, 2013, 11:35:21 AM
LOL, why would anyone want to use it exactly.

No.


Title: Re: StrongCoin key leak.
Post by: TheSeven on April 03, 2013, 11:57:49 AM
Over the Easter weekend due to a bug in the strongcoin interface hackers were able to access all encrypted private keys held on the Strongcoin server. This means for people who had weak passwords on their keys or people who had a lot of information in their clue field the BTC may have already been stolen.

This is a thread to answer questions on the StrongCoin key and clue field leak.

1) what was the bug? what do you mean by "interface"?
2) what are you doing to prevent such bugs from occurring again?
3) do you know of anyone's coins being stolen?

1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.
2. I'm posting a notice on the site to advise people to use longer passwords. There was already a widget to give the user feedback as to how strong their password was.
3. Yes.

This sounds like the whole source code of the site should undergo a very tight review and penetration testing ASAP.


Title: Re: StrongCoin key leak.
Post by: tiptopgemdotcom on April 03, 2013, 12:08:34 PM
Over the Easter weekend due to a bug in the strongcoin interface hackers were able to access all encrypted private keys held on the Strongcoin server. This means for people who had weak passwords on their keys or people who had a lot of information in their clue field the BTC may have already been stolen.

This is a thread to answer questions on the StrongCoin key and clue field leak.

1) what was the bug? what do you mean by "interface"?
2) what are you doing to prevent such bugs from occurring again?
3) do you know of anyone's coins being stolen?

1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.
2. I'm posting a notice on the site to advise people to use longer passwords. There was already a widget to give the user feedback as to how strong their password was.
3. Yes.

This sounds like the whole source code of the site should undergo a very tight review and penetration testing ASAP.

^THIS


Title: Re: StrongCoin key leak.
Post by: tkbx on April 03, 2013, 01:08:38 PM
As far as online wallets go, StrongCoin seems pretty secure, but is there any legitimate reason to use an online wallet?

(Unless you were stupid enough to buy a Chromebook, then I have no sympathy for you)


Title: Re: StrongCoin key leak.
Post by: dogisland on April 03, 2013, 01:14:18 PM
As far as online wallets go, StrongCoin seems pretty secure, but is there any legitimate reason to use an online wallet?

(Unless you were stupid enough to buy a Chromebook, then I have no sympathy for you)

Benefits are:

1. Ease of use, nothing to install.
2. You don't have to do your own backups.
3. Accessible from anywhere.


Title: Re: StrongCoin key leak.
Post by: MPOE-PR on April 03, 2013, 01:19:56 PM
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!


Title: Re: StrongCoin key leak.
Post by: Jan on April 03, 2013, 01:26:42 PM
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.


Title: Re: StrongCoin key leak.
Post by: kokojie on April 03, 2013, 01:46:45 PM
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

+1


Title: Re: StrongCoin key leak.
Post by: hamdi on April 03, 2013, 01:48:42 PM
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.
Already happened!


Title: Re: StrongCoin key leak.
Post by: ErebusBat on April 03, 2013, 01:55:46 PM
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.
Already happened!
Sauce?


Title: Re: StrongCoin key leak.
Post by: Cryptoc on April 03, 2013, 01:57:19 PM
It is going to be interesting the day that blockchain.info leaks encrypted wallets. I wonder how many out of their 175.000 wallets use insecure passwords.
Already happened!
Any more information?


Title: Re: StrongCoin key leak.
Post by: pelleb on April 03, 2013, 02:04:28 PM
There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P


Title: Re: StrongCoin key leak.
Post by: jp on April 03, 2013, 02:31:10 PM
Quote
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with the user's password for that specific key. Even if someone could view another person's account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.


Title: Re: StrongCoin key leak.
Post by: dogisland on April 03, 2013, 02:37:11 PM
Quote
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

I'd like a little more transparency please. While using your service, you made it sound that no one would know the private key because it was encrypted with the user's password for that specific key. Even if someone could view another person's account page, how would they still have access to the key since they don't know the password to the encrypted key?

Thanks and sorry you're going through the growing pains here.


They could see the key, but it was still AES 256 encrypted. So they would see something like

U2FsdGVkX19ZvPGX+4T98zGnTjwKs1CmkzXpm8fEJjzuubAY/3wg1JoC6BcqiqR6
mKhdlqyLTeRHc59VfW9ebfwWOfOKnK9qqN8TXXSL4Nw=

So the issue here is that if a user had a low quality password and had given extra info in the clue field then there is a chance they have lost coins.


Title: Re: StrongCoin key leak.
Post by: dansmith on April 03, 2013, 03:13:02 PM
Quote
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?


Title: Re: StrongCoin key leak
Post by: whiskers75 on April 03, 2013, 03:17:49 PM
For the record: blockchain.info/wallet (http://blockchain.info/wallet) stores your wallet locally and on their servers, encrypted at both places and only ever decrypted on your computer. Looks like StrongCoin was a bit late to the party. :P
And it doesn't charge a 1% fee.
And you can do 'off-site backups' by email, Dropbox and Google Drive - yes, you can keep your wallet.
Blockchain.info wins!
(and it doesn't leak keys  :-\)


Title: Re: StrongCoin key leak.
Post by: dogisland on April 03, 2013, 03:20:42 PM
Quote
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

By "encrypted key" you mean the encrypted password which is used to log into one's account? If so, were usernames leaked as well?

I mean a bitcoin private key encrypted in AES 256. The AES 256 encryption is performed on the client side (javascript) using a password the user supplies. I never see that password.

So basically in StrongCoin when a private key is created, it is created in the browser. The user supplies a password to the Javascript and then Javascript AES encrypts the private key before sending it to the server.

So we only have AES encrypted private keys and a clue field. The user could supply a clue to help them remember the password. Some users may have given too much information in the clue field.

The AES encrypted key (still protected) was leaked along with the clue field.

The clue field has now been removed from Strongcoin and a warning added to encourage users to create more secure passwords.


Title: Re: StrongCoin key leak
Post by: dogisland on April 03, 2013, 03:25:32 PM
Looks like StrongCoin was a bit late to the party. 

We were around before Blockchain.info i.e. 2011 https://bitcointalk.org/index.php?topic=36169.0


Title: Re: StrongCoin key leak.
Post by: dansmith on April 03, 2013, 03:40:15 PM
Thank you for explaining.
So, I guess that your web app has full access to all tables of your DB?

What do you think about creating a separate DB user for each wallet account. This way there will be no way a user could see other users' tables. Certainly, this will kill DB performance. But who cares about performance when money is at stake?


Title: Re: StrongCoin key leak.
Post by: MPOE-PR on April 03, 2013, 07:30:06 PM
There is another problem.

The App uses 2 external JS for google analytics and mixpanel. While these are both trustworthy companies, basically a bad actor there could monitor passwords and private keys.

I'd recommend that any browser wallet not include any externally controlled javascripts.

P

Quote
19 (http://mpex.co/faq.html#19). Do you use Google Analytics?
No. Making a BTC financials website and then slapping GA on it is really akin to going to a cancer survivor's survival party and bringing them chemo drugs as a gift. Yes, it's that insulting/thoughtless. Really. Yes, it does show that level of outright contempt for the user. Really.

Also GA does break Tor in many cases.

Will people read FAQs? Will people implement the better solutions as demonstrated? Etc.


Title: Re: StrongCoin key leak.
Post by: springy on April 03, 2013, 07:34:59 PM
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Agree, laziness and ego got in the way I think!


Title: Re: StrongCoin key leak
Post by: jonitas on April 04, 2013, 09:48:54 PM
And it doesn't charge a 1% fee.

Ok, so how do I get my money out without paying the 1% fee? I go to Blockchain.info -> import/export -> import -> import private key? Will that transfer my wallet to blockchain and leave the wallet I already have in the same account alone?

Just checking because I don't want to overwrite any current balance I have.

I guess my password was strong enough because I still have all of my bitcoins that I hold at strongcoin. But due to the increased price of bitcoin I should definitely diversify into more wallets.


Title: Re: StrongCoin key leak.
Post by: gjk on April 07, 2013, 10:44:25 AM
...I tried to send my money to other BTC addresses, but every time a warning named "undefined" occurred. What's wrong?  ???

I also asked via mail, but I didn't get an answer yet (one week ago).  :-\


Title: Re: StrongCoin key leak.
Post by: aussie_striker on May 16, 2013, 10:32:40 AM
I changed my password after this happened and it stated around 4 years to break it. Today I looked at my account and there is a transaction that cleared out my whole account (5.48134 BTC) 4 days ago.
Needless to say I'm not happy about it.

I've looked at my strongcoin and also on Blockchain, not sure why but it shows a different address it went to or am I reading that wrong?

According to Strongcoin
From 1JE5dWuwo7z67VAAgzrfRUiNpvHsenhW5U
To 1PKSK8TyvQrCGjQbsbNVQNoo4ftcEiBUSk
- 5.48134

On Blockchain it shows
1GKVf2b4QTV3TzBUWFzT5FQbmhKBPU861m 5.48134135 BTC

Not sure if it is due to the same problem or there is a new problem. I've changed passwords again but now have nothing.

Title: Re: StrongCoin key leak.
Post by: vesperwillow on August 22, 2013, 02:06:47 PM
1. It was possible to change the id in a URL and see another user's encrypted key. That is now fixed.

You're an idiot however, and that's not fixable. Who codes like that?!

Here's the most valuable question in this thread: Who's the babe in your profile pic??